Maintained by: NLnet Labs

[Unbound-users] [ben at cuckoo.org: .se disappeared?]

Jelte Jansen
Tue Oct 13 00:20:22 CEST 2009



Olaf Kolkman wrote:
> 
> On Oct 12, 2009, at 11:05 PM, David Blacka wrote:
> 
>>
>> On Oct 12, 2009, at 4:44 PM, Stephane Bortzmeyer wrote:
>>
>>> Indeed, it fails for me through Unbound.
>>
>> Me too.  unbound-host reports the following:
>>
>> % unbound-host -f /usr/local/etc/unbound/anchors.mf -vd -t soa se
>> ...
>> [1255381375] libunbound[24020:0] info: Successfully primed trust
>> anchor <SE. DNSKEY IN>
>> [1255381375] libunbound[24020:0] info: Validate: message contains bad
>> rrsets
>> se has SOA record catcher-in-the-rye.nic.se. registry-default.nic.se.
>> 2009101211 1800 1800 2419200 7200 (BOGUS (security failure))
>>
>> oops.
> 
> 
> I managed to replicate the validation failure at the apex. SE also
> contains a TXT record at its apex. That seems to validate correctly.
> 

yup, it seems only the SOA is bad:


jelte@dragon:~> drill -4 -S SOA se. @i.ns.se.
;; Chasing: se. SOA
Warning: No trusted keys specified


DNSSEC Trust tree:
se. (SOA)
|---Bogus DNSSEC signature:
se.	172800	IN	RRSIG	SOA 5 1 172800 20091019014636 20091012162314 12075 se.
nZovZAGx5M4r1o7RXrzJJ+IEfax27GlPnaza0psSvJAY4q5xbF9SrfaBPplG+t2FjjQv3IXT5+C6I7RmQ1R2wrApWGcj/CmQyTig/+sqlC4sBzTlos73ZbLWWcXWctk5lB9Yg/+qaK/BYYPYrHkH/kDu5g20REcA9QUUexwx3aE=
;{id = 12075}
For RRset:
se.	172800	IN	SOA	catcher-in-the-rye.nic.se. registry-default.nic.se. 2009101211
1800 1800 2419200 7200
With key:
se.	3600	IN	DNSKEY	256 3 5
AwEAAcPBjSwyCfRL8c/o/cJAezARNJd7mwcgY2BmyWlpsfhXBPIFh36vOSyacZ1hP+Qg7ycSQhyiyXNrC4aTEaF5JYjgXgRh5rmGtPKt2sj/Me4inmQenlYT25MO63Yx0f6x5HcjBem6TFA7Eca95Jl8GalgG2LV5xO//SOxYV/V5ZSz
;{id = 12075 (zsk), size = 1024b}
|---se. (DNSKEY keytag: 12075 alg: 5 flags: 256)
    |---se. (DNSKEY keytag: 8779 alg: 5 flags: 257)
    |---se. (DNSKEY keytag: 49678 alg: 5 flags: 257)

jelte@dragon:~> drill -4 -S NS se. @i.ns.se.
;; Chasing: se. NS
Warning: No trusted keys specified


DNSSEC Trust tree:
se. (NS)
|---se. (DNSKEY keytag: 12075 alg: 5 flags: 256)
    |---se. (DNSKEY keytag: 8779 alg: 5 flags: 257)
    |---se. (DNSKEY keytag: 49678 alg: 5 flags: 257)

Jelte
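
A triage sketch for the failure shown in this thread, added here as an example and not part of the original messages or of drill/Unbound: it runs the RFC 4035 section 5.3.1 checks that need no cryptography (validity window, labels, signer, key tag, algorithm, zone flag) over the RRSIG fields, key tags and log timestamp quoted above. The function names `parse_rrsig` and `triage` are hypothetical.

```python
from datetime import datetime, timezone

ZONE_KEY = 0x0100  # DNSKEY flags bit 7 ("Zone Key"), RFC 4034 section 2.1.1

def _ts(s):
    # RRSIG timestamps are YYYYMMDDHHmmSS in UTC
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Split a presentation-format RRSIG record into named fields."""
    f = line.split()
    return {"owner": f[0].lower(), "covered": f[4], "alg": int(f[5]),
            "labels": int(f[6]), "expiration": _ts(f[8]),
            "inception": _ts(f[9]), "key_tag": int(f[10]),
            "signer": f[11].lower()}

def triage(sig, rrset_type, now_epoch, dnskeys):
    """Apply the RFC 4035 section 5.3.1 checks that need no cryptography.
    dnskeys maps key tag -> (algorithm, flags). An empty result means the
    failure is in the signature bytes or in the signed RRset data."""
    now = datetime.fromtimestamp(now_epoch, tz=timezone.utc)
    owner, signer = sig["owner"], sig["signer"]
    n_labels = len([l for l in owner.rstrip(".").split(".") if l and l != "*"])
    problems = []
    if sig["covered"] != rrset_type:
        problems.append("type covered mismatch")
    if now < sig["inception"]:
        problems.append("not yet valid")
    if now > sig["expiration"]:
        problems.append("expired")
    if sig["labels"] > n_labels:
        problems.append("labels field exceeds owner name")
    if not (signer == "." or owner == signer or owner.endswith("." + signer)):
        problems.append("signer is not a parent zone of the owner")
    key = dnskeys.get(sig["key_tag"])
    if key is None:
        problems.append("no DNSKEY with this key tag")
    elif key[0] != sig["alg"] or not key[1] & ZONE_KEY:
        problems.append("DNSKEY algorithm or zone flag mismatch")
    return problems

# Values copied from the drill and unbound-host output above; the signature
# blob is left out because none of these checks read it.
SE_SOA_SIG = "se. 172800 IN RRSIG SOA 5 1 172800 20091019014636 20091012162314 12075 se."
SE_DNSKEYS = {12075: (5, 256), 8779: (5, 257), 49678: (5, 257)}
UNBOUND_LOG_TIME = 1255381375  # timestamp printed by libunbound

if __name__ == "__main__":
    print(triage(parse_rrsig(SE_SOA_SIG), "SOA", UNBOUND_LOG_TIME, SE_DNSKEYS))
```

An empty list for the SOA signature means clock skew, expiry and key selection are ruled out, leaving the signature bytes or the SOA data as served.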